Creating Processes

I’ve often seen on this list that a kernel mode driver can’t create a process,
that a user-mode helper service is required. Now, point out to me if my logic
is flawed, but if kernel mode components can’t create user mode processes,
then by that statement alone SMSS shouldn’t start, and if that doesn’t start,
well then I’m not typing this message into Outlook right now. Obviously, that’s
not the case, so what is the reason that kernel mode drivers can’t create processes?
Is it because they won’t be registered with CSRSS and hence won’t have any access
to the Win32 APIs, or is it something else entirely?

Asa

Gary Nebbett reports a ZwCreateProcess in his chapter 6. His
examples 6.1 and 6.2 show how to fork or create a Win32 process.
I didn’t use his technique, but I have no reason to believe it
doesn’t work.

Alberto.

----- Original Message -----
From: “Asa Yeamans”
To: “Windows System Software Devs Interest List”

Sent: Saturday, March 05, 2005 3:40 AM
Subject: [ntdev] Creating Processes

I’ve often seen on this list that a kernel mode driver can’t create a process,
that a user-mode helper service is required. Now, point out to me if my logic
is flawed, but if kernel mode components can’t create user mode processes,
then by that statement alone SMSS shouldn’t start, and if that doesn’t start,
well then I’m not typing this message into Outlook right now. Obviously, that’s
not the case, so what is the reason that kernel mode drivers can’t create processes?
Is it because they won’t be registered with CSRSS and hence won’t have any access
to the Win32 APIs, or is it something else entirely?

Asa


Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com

SMSS is started by RtlCreateUserProcess, which is completely undocumented.

Also yes, the CSRSS registration problem, the environment variables
problem, the possible GDI/USER registration problem, the possible security
context problem, and the stdin/stdout problem.

Why even start the user process from driver? If your process is not planned
to use any UI - then run a service. Otherwise, create a small app which will be
started by Run key at shell startup. These processes will sit forever waiting
for some events on your driver. You can do them very lightweight - for
instance, only the “wait for events” code is in the EXE, and all real work is
in DLL which is loaded and freed as necessary.

I think you can also use a DLL shell extension add-on, like the network
connection tray icon.

Also the security issue. Modern Windows allow the services to show UI using
some perversions like setting the service’s WinSta. This is a security hole,
and David LeBlanc promised it to be blocked 100% in future Windows. So, if you
need UI, forget services and use either Explorer add-on DLLs or the app started
by Run key.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com


It is quite possible!

By using lots of undocumented techniques, you can create a user process from
the kernel mode driver if you know what to do and how to deal with internals
of NT.

But the point is why would such a requirement be ever needed? If this is the
case, the revision of such a poor specification is required!

I can’t see any legitimate reason except for writing better (or worse)
rootkits for doing so.

Egemen Tas


Curiosity is the main drive behind the question. I’ve always seen it said
that it’s not possible, but for some reason in my mind, that couldn’t have
been the whole story, otherwise as I mentioned in my initial post, I wouldn’t
be typing this email.

I simply find the internals of the NT OS and its design to be utterly
fascinating. I’m still trying to wrap my mind around the asynchronicity (sp?)
of the Windows kernel, how it doesn’t use the simple call stack structure like,
um, other SYNCHRONOUS OS’s, but rather a whole new concept (to me) of
maintaining function call state that lends itself to an asynchronous nature
rather easily as well as facilitating making *everything* pre-emptable from day
one, unlike that OTHER SYNCHRONOUS OS.

If anyone can recommend any good books on the OS internals besides Russinovich’s
Windows Internals v4 and the Nebbett book on NT syscalls, I’d much appreciate it.

Asa


Asa Yeamans wrote:

> I’ve always seen it said that it’s [i.e. creating a process from kernel
> mode] not possible, but for some reason in my mind, that couldn’t have
> been the whole story, otherwise as I mentioned in my initial post, I
> wouldn’t be typing this email.

Of course it’s possible. If it wasn’t possible, the system would have a
bloody hard time starting itself, I reckon. Plus, what could the
activity of starting a process in user mode possibly do except send
system calls to the OS? It’s not like there’s some magic user-mode
component that has the mystical ability to create processes :-)

I suspect when you’ve seen the answer “it isn’t possible” what people
are actually saying is “it’s not possible given what’s currently
documented”, and “given that there are other, safer, documented, ways to
accomplish this same goal, it’s not worth going through the trouble to
do this from kernel mode.”

Regarding:

> I simply find the internals of the NT OS and its design to be utterly
> fascinating. I’m still trying to wrap my mind around the asynchronicity
> of the Windows kernel, how it doesn’t use the simple call stack
> structure like, um, other SYNCHRONOUS OS’s, but rather a whole new
> concept (to me) of

It IS very different than other SYNCHRONOUS OS’s. Note that Windows
uses several of Cutler’s “signature” design features, and the thread
stealing concept is one of them. The first OS that Cutler designed at
DEC (RSX-11M for the PDP-11) worked this way. And THAT was designed in
the 70’s.

FWIW, I grew up on Cutler-designed OS’s and I found the design concepts
in those other SYNCHRONOUS OS’s to be very difficult to understand at
first :-)

Peter
OSR